From c26f25213a70687820290a58189e58e687ef498c Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Thu, 28 Jul 2011 18:56:54 -0700
Subject: [PATCH] * xgselect.c (xg_select): Check for size calculation overflow. Don't update size until alloc done.
---
 src/ChangeLog | 3 +++
 src/xgselect.c | 12 +++++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index 7a0543e46c5..b5c5afd7a1e 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,8 @@
 2011-07-29 Paul Eggert

+ * xgselect.c (xg_select): Check for size calculation overflow.
+ Don't update size until alloc done.
+
 * xfns.c: Integer and memory overflow fixes.
 (x_encode_text, x_set_name_internal, Fx_change_window_property):
 Use ptrdiff_t, not int, to count sizes, since they can exceed
diff --git a/src/xgselect.c b/src/xgselect.c
index 9ccdd37489f..d1844610077 100644
--- a/src/xgselect.c
+++ b/src/xgselect.c
@@ -54,10 +54,16 @@ xg_select (int max_fds, SELECT_TYPE *rfds, SELECT_TYPE *wfds, SELECT_TYPE *efds,
 do {
 if (n_gfds > gfds_size)
 {
- while (n_gfds > gfds_size)
- gfds_size *= 2;
+ int gfds_size_max =
+ min (INT_MAX, min (PTRDIFF_MAX, SIZE_MAX) / sizeof *gfds);
+ int size;
+ if (gfds_size_max / 2 < n_gfds)
+ memory_full (SIZE_MAX);
+ size = 2 * n_gfds;
+ gfds_size = 0;
 xfree (gfds);
- gfds = xmalloc (sizeof (*gfds) * gfds_size);
+ gfds = xmalloc (sizeof *gfds * size);
+ gfds_size = size;
 }

 n_gfds = g_main_context_query (context,
--
2.39.2
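Review bot: In the src/xgselect.c hunk, `gfds` still holds the freed address between `xfree (gfds);` and the assignment from `xmalloc`. Zeroing `gfds_size` first suggests the allocation is expected to be able to leave `xg_select` without returning. If it does, and `gfds` persists across calls (its declaration is outside the hunk, so confirm), the next call would see `gfds_size == 0`, re-enter this branch and pass the stale pointer to `xfree` a second time. Adding `gfds = NULL;` directly after `xfree (gfds);` keeps the pointer and the size consistent on that path. The overflow guard also relies on `memory_full (SIZE_MAX)` not returning, since otherwise `size = 2 * n_gfds;` still runs; a short comment saying so would help the next reader.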